Rekeying a Disk using the CLI

When KeyControl rekeys a disk, it creates a new key and then begins decrypting the disk using the old key. As each block is decrypted, the Policy Agent re-encrypts it using the new key.

The following procedure applies to all types of Windows disks and to Linux data disks. You cannot, however, rekey a Linux system device (such as /root, swap, or /home) using this procedure. Instead, use the htroot rekey command as described in Rekeying a Linux System Device.

Tip: Depending on the size of the encrypted disk, the rekey process can take a long time to run. If the rekey process is interrupted on Windows, it will be resumed automatically when the disk comes back online. If the process is interrupted on Linux, you need to manually reissue the hcl rekey command to resume the process. We recommend you use the Linux nohup or screen command to avoid terminal-related interruptions during the rekey.

Procedure 

  1. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  2. If you want to check the available disks on this VM, enter the hcl status command.

  3. If this VM belongs to a Cloud VM Set that uses the Single Encryption Key (SEK) option and you want to verify that there is a new version of the SEK key available, enter the hcl keyversion diskname command, where diskname is the name of the disk that you want to rekey. For Linux, use the short form of the disk name. (For example, sdb1 instead of /dev/sdb1.) For Windows, specify the drive letter or folder mount associated with the disk. (For example, f: or g:\data).

    The command returns the key version being used by the disk as well as the current SEK key version. The following example shows a disk that is currently encrypted with an older version of the SEK key:

    # hcl keyversion sdb1
keyversion: 2 SEKversion: 4

    In this case, you should rekey the disk to bring it up to date. If the key version matches the SEK version however, there is no need to rekey the disk. For more information on the SEK option, see Data Deduplication with Cloud VM Sets.

  4. If this is a Linux system and you have not enabled Online Encryption for this VM, unmount the disk you want to rekey. For more information, see Linux Online Encryption Prerequisites and Considerations.

  5. Enter the command hcl rekey [-s] diskname, where:

    • -s (Linux only) tells DataControl to only process allocated blocks which can improve performance dramatically. DataControl uses system-provided utilities to determine the allocated blocks on the disk. This option is supported for ext2, ext3, and ext4 file systems. It is not supported on XFS. (To change the speed for Windows, see Changing the Encryption/Decryption Speed on Windows.)

      Important: This option does not work if online encryption has been enabled for the VM, even if you unmount the drive during the process. If online encryption has been enabled or if the disk is mounted, using the -s option will cause the command to fail.

    • diskname is the name of the disk that you want to encrypt. For Linux, use the short form of the disk name. (For example, sdb1 instead of /dev/sdb1.) For Windows, specify the drive letter or folder mount associated with the disk. (For example, f: or g:\data).

  6. For Linux, the progress of the command is displayed automatically. For Windows, use the hcl status command to check the progress.

  7. If the rekey operation is interrupted on Windows, the Policy Agent automatically restarts it when the system comes back online. For Linux, you can:

    • Resume the rekey operation by reissuing the hcl rekey command.
    • Revert the rekey operation using the hcl rekey -u diskname command.

The following example shows the rekey operation for the Windows folder mount E:\data: 

C:\Users\Administrator> hcl rekey e:\data

C:\Users\Administrator> hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: 10.238.66.232:443
KeyControl list: 10.238.66.232:443
Status: Connected
Last Heartbeat: Fri May 12 16:16:34 2017 (successful)
AES_NI: enabled
Certificate Expiration: Sep 11 22:16:13 2020 GMT

Device Details
--------------------------------------------------------------------------------
Drive      Disk Part Cipher       Status    GUID
--------------------------------------------------------------------------------
C:         0    2    none         Avail-Sys D74E94B8-0067-4652-935D-E1BA96B6E8F5
E:\data    1    1    AES-XTS-512  RK 43.89% 20500265-AC34-4966-8A40-40A98F08BEE7					

C:\Users\Administrator> hcl rekey e:\data

C:\Users\Administrator> hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: 10.238.66.232:443
KeyControl list: 10.238.66.232:443
Status: Connected
Last Heartbeat: Fri May 12 16:16:34 2017 (successful)
AES_NI: enabled
Certificate Expiration: Sep 11 22:16:13 2020 GMT

Device Details
--------------------------------------------------------------------------------
Drive      Disk Part Cipher       Status    GUID
--------------------------------------------------------------------------------
C:         0    2    none         Avail-Sys D74E94B8-0067-4652-935D-E1BA96B6E8F5
E:\data    1    1    AES-XTS-512  RK 43.89% 20500265-AC34-4966-8A40-40A98F08BEE7

The RK in the status column for disk E:\data indicates that it is being rekeyed. The operation is currently 43.89% done.

The following example shows a Linux filesystem that is mounted with several files at the top directory. We unmount the filesystem, issue the rekey command, then remount it and show that the files are still accessible.

# mount /dev/mapper/clear_sdc1 /mnt
# ls /mnt
file1  file2  file3  files.tgz	lost+found/
# umount /mnt
# hcl rekey sdc1
All the data on /dev/sdc1 will be rekeyed
The clear text data will be available on /dev/mapper/clear_sdc1
This operation may take long time

Do you want to proceed? (y/n) y
Starting rekey of sdc1
In case of failure run 'hcl rekey [-u] sdc1'
total device size 10206 KB

Processing: 100% 	Time left: 00:00:00
Completed rekey of sdc1 successfully
# mount /dev/mapper/clear_sdc1 /mnt
# ls /mnt file1  file2  file3  files.tgz lost+found/

If you have rekeyed previously, you will see the following additional prompt:

# hcl rekey sdc1
WARNING: rekey operation was successfully performed for device sdc1
Run rekey again
Do you want to proceed? (y/n) y
All the data on /dev/sdc1 will be rekeyed
The clear text data will be available on /dev/mapper/clear_sdc1
This operation may take long time

Do you want to proceed? (y/n) y
Starting rekey of sdc1
In case of failure run 'hcl rekey [-u] sdc1'
total device size 10206 KB

Processing: 100% 	Time left: 00:00:00
Completed rekey of sdc1 successfully

You will also see a similar prompt if you have already encrypted or decrypted a disk.

If the operation fails for any reason, for example a system crash, run the hcl rekey command again. You will see the following:

# hcl rekey sdb1
WARNING: Incomplete rekey operation detected for device sdb1
Continue rekey
Do you want to proceed? (y/n)

If you want to reverse a rekey that only partially completed:

# hcl rekey -u sdb1
Starting undo of rekey operation on sdb1;
In case of failure run 'hcl rekey -u sdb1' again
Processing: 100% 	Time left: 00:00:00
Completed undo for sdb1 successfully